doc/html/test_2fuzz_2bip324_8cpp_source.html

 // Copyright (c) 2023 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.

 #include <bip324.h>
 #include <chainparams.h>
 #include <random.h>
 #include <span.h>
 #include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
 #include <test/fuzz/util.h>

 #include <cstdint>
 #include <vector>

 namespace {

 void Initialize()
 {
     static ECC_Context ecc_context{};
     SelectParams(ChainType::MAIN);
 }

 }  // namespace

 FUZZ_TARGET(bip324_cipher_roundtrip, .init=Initialize)
 {
     // Test that BIP324Cipher's encryption and decryption agree.

     // Load keys from fuzzer.
     FuzzedDataProvider provider(buffer.data(), buffer.size());
     // Initiator key
     CKey init_key = ConsumePrivateKey(provider, /*compressed=*/true);
     if (!init_key.IsValid()) return;
     // Initiator entropy
     auto init_ent = provider.ConsumeBytes<std::byte>(32);
     init_ent.resize(32);
     // Responder key
     CKey resp_key = ConsumePrivateKey(provider, /*compressed=*/true);
     if (!resp_key.IsValid()) return;
     // Responder entropy
     auto resp_ent = provider.ConsumeBytes<std::byte>(32);
     resp_ent.resize(32);

     // Initialize ciphers by exchanging public keys.
     BIP324Cipher initiator(init_key, init_ent);
     assert(!initiator);
     BIP324Cipher responder(resp_key, resp_ent);
     assert(!responder);
     initiator.Initialize(responder.GetOurPubKey(), true);
     assert(initiator);
     responder.Initialize(initiator.GetOurPubKey(), false);
     assert(responder);

     // Initialize RNG deterministically, to generate contents and AAD. We assume that there are no
     // (potentially buggy) edge cases triggered by specific values of contents/AAD, so we can avoid
     // reading the actual data for those from the fuzzer input (which would need large amounts of
     // data).
     InsecureRandomContext rng(provider.ConsumeIntegral<uint64_t>());

     // Compare session IDs and garbage terminators.
     assert(initiator.GetSessionID() == responder.GetSessionID());
     assert(initiator.GetSendGarbageTerminator() == responder.GetReceiveGarbageTerminator());
     assert(initiator.GetReceiveGarbageTerminator() == responder.GetSendGarbageTerminator());

     LIMITED_WHILE(provider.remaining_bytes(), 1000) {
         // Mode:
         // - Bit 0: whether the ignore bit is set in message
         // - Bit 1: whether the responder (0) or initiator (1) sends
         // - Bit 2: whether this ciphertext will be corrupted (making it the last sent one)
         // - Bit 3-4: controls the maximum aad length (max 4095 bytes)
         // - Bit 5-7: controls the maximum content length (max 16383 bytes, for performance reasons)
         unsigned mode = provider.ConsumeIntegral<uint8_t>();
         bool ignore = mode & 1;
         bool from_init = mode & 2;
         bool damage = mode & 4;
         unsigned aad_length_bits = 4 * ((mode >> 3) & 3);
         unsigned aad_length = provider.ConsumeIntegralInRange<unsigned>(0, (1 << aad_length_bits) - 1);
         unsigned length_bits = 2 * ((mode >> 5) & 7);
         unsigned length = provider.ConsumeIntegralInRange<unsigned>(0, (1 << length_bits) - 1);
         // Generate aad and content.
         auto aad = rng.randbytes<std::byte>(aad_length);
         auto contents = rng.randbytes<std::byte>(length);

         // Pick sides.
         auto& sender{from_init ? initiator : responder};
         auto& receiver{from_init ? responder : initiator};

         // Encrypt
         std::vector<std::byte> ciphertext(length + initiator.EXPANSION);
         sender.Encrypt(contents, aad, ignore, ciphertext);

         // Optionally damage 1 bit in either the ciphertext (corresponding to a change in transit)
         // or the aad (to make sure that decryption will fail if the AAD mismatches).
         if (damage) {
             unsigned damage_bit = provider.ConsumeIntegralInRange<unsigned>(0,
                 (ciphertext.size() + aad.size()) * 8U - 1U);
             unsigned damage_pos = damage_bit >> 3;
             std::byte damage_val{(uint8_t)(1U << (damage_bit & 7))};
             if (damage_pos >= ciphertext.size()) {
                 aad[damage_pos - ciphertext.size()] ^= damage_val;
             } else {
                 ciphertext[damage_pos] ^= damage_val;
             }
         }

         // Decrypt length
         uint32_t dec_length = receiver.DecryptLength(Span{ciphertext}.first(initiator.LENGTH_LEN));
         if (!damage) {
             assert(dec_length == length);
         } else {
             // For performance reasons, don't try to decode if length got increased too much.
             if (dec_length > 16384 + length) break;
             // Otherwise, just append zeros if dec_length > length.
             ciphertext.resize(dec_length + initiator.EXPANSION);
         }

         // Decrypt
         std::vector<std::byte> decrypt(dec_length);
         bool dec_ignore{false};
         bool ok = receiver.Decrypt(Span{ciphertext}.subspan(initiator.LENGTH_LEN), aad, dec_ignore, decrypt);
         // Decryption *must* fail if the packet was damaged, and succeed if it wasn't.
         assert(!ok == damage);
         if (!ok) break;
         assert(ignore == dec_ignore);
         assert(decrypt == contents);
     }
 }
RandomMixin::randbytes
std::vector< B > randbytes(size_t len) noexcept
Generate random bytes.
Definition: random.h:297

BIP324Cipher::GetSendGarbageTerminator
Span< const std::byte > GetSendGarbageTerminator() const noexcept
Get the Garbage Terminator to send.
Definition: bip324.h:90

Span::first
CONSTEXPR_IF_NOT_DEBUG Span< C > first(std::size_t count) const noexcept
Definition: span.h:205

Span::subspan
CONSTEXPR_IF_NOT_DEBUG Span< C > subspan(std::size_t offset) const noexcept
Definition: span.h:195

bip324.h

assert
assert(!tx.IsCoinBase())

span.h

ECC_Context
RAII class initializing and deinitializing global state for elliptic curve support.
Definition: key.h:321

FuzzedDataProvider.h

ecc_context
ECC_Context ecc_context
Definition: bitcoin-wallet.cpp:134

fuzz.h

LIMITED_WHILE
#define LIMITED_WHILE(condition, limit)
Can be used to limit a theoretically unbounded loop.
Definition: fuzz.h:22

BIP324Cipher::Initialize
void Initialize(const EllSwiftPubKey &their_pubkey, bool initiator, bool self_decrypt=false) noexcept
Initialize when the other side&#39;s public key is received.
Definition: bip324.cpp:34

BIP324Cipher
The BIP324 packet cipher, encapsulating its key derivation, stream cipher, and AEAD.
Definition: bip324.h:19

BIP324Cipher::GetSessionID
Span< const std::byte > GetSessionID() const noexcept
Get the Session ID.
Definition: bip324.h:87

BIP324Cipher::GetOurPubKey
const EllSwiftPubKey & GetOurPubKey() const noexcept
Retrieve our public key.
Definition: bip324.h:54

ChainType::MAIN

InsecureRandomContext
xoroshiro128++ PRNG.
Definition: random.h:415

FuzzedDataProvider
Definition: FuzzedDataProvider.h:32

init
Definition: bitcoin-gui.cpp:17

FUZZ_TARGET
FUZZ_TARGET(bip324_cipher_roundtrip,.init=Initialize)
Definition: bip324.cpp:26

util.h

CKey
An encapsulated private key.
Definition: key.h:34

Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: solver.h:20

BIP324Cipher::GetReceiveGarbageTerminator
Span< const std::byte > GetReceiveGarbageTerminator() const noexcept
Get the expected Garbage Terminator to receive.
Definition: bip324.h:93

BIP324Cipher::EXPANSION
static constexpr unsigned EXPANSION
Definition: bip324.h:27

BIP324Cipher::LENGTH_LEN
static constexpr unsigned LENGTH_LEN
Definition: bip324.h:25

SelectParams
void SelectParams(const ChainType chain)
Sets the params returned by Params() to those for the given chain type.
Definition: chainparams.cpp:134

ConsumePrivateKey
CKey ConsumePrivateKey(FuzzedDataProvider &fuzzed_data_provider, std::optional< bool > compressed) noexcept
Definition: util.cpp:230

CKey::IsValid
bool IsValid() const
Check whether this private key is valid.
Definition: key.h:123